AUDIT REPORT
Audit of NRC’s Implementation of HSPD-12 Phase 2

OIG-11-A-09    March 30, 2011

All publicly available OIG reports (including this report) are accessible through NRC’s Web site at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/


UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

March 30, 2011

MEMORANDUM TO:   R. William Borchardt
                 Executive Director for Operations

FROM:            Stephen D. Dingbaum /RA/
                 Assistant Inspector General for Audits

SUBJECT:         AUDIT OF NRC'S IMPLEMENTATION OF HSPD-12 PHASE 2 (OIG-11-A-09)

Attached is the Office of the Inspector General’s (OIG) audit report titled, Audit of NRC's Implementation of HSPD-12 Phase 2.

The report presents the results of the subject audit. Informal comments provided by agency management at the March 21, 2011, exit conference have been incorporated, as appropriate, into this report.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Security and Information Team Leader, at 415-5911.

Attachment: As stated


Electronic Distribution

Edwin M. Hackett, Executive Director, Advisory Committee on Reactor Safeguards
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Stephen G. Burns, General Counsel
Brooke D. Poole, Director, Office of Commission Appellate Adjudication
James E. Dyer, Chief Financial Officer
Margaret M. Doane, Director, Office of International Programs
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
R. William Borchardt, Executive Director for Operations
Michael F. Weber, Deputy Executive Director for Materials, Waste, Research, State, Tribal, and Compliance Programs, OEDO
Darren B. Ash, Deputy Executive Director for Corporate Management, OEDO
Martin J. Virgilio, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Mary C. Muessle, Assistant for Operations, OEDO
Kathryn O. Greene, Director, Office of Administration
Patrick D. Howard, Director, Computer Security Office
Roy P. Zimmerman, Director, Office of Enforcement
Charles L. Miller, Director, Office of Federal and State Materials and Environmental Management Programs
Cheryl L. McCrary, Director, Office of Investigations
Thomas M. Boyce, Director, Office of Information Services
Miriam L. Cohen, Director, Office of Human Resources
Michael R. Johnson, Director, Office of New Reactors
Catherine Haney, Director, Office of Nuclear Material Safety and Safeguards
Eric J. Leeds, Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
James T. Wiggins, Director, Office of Nuclear Security and Incident Response
William M. Dean, Acting Regional Administrator, Region I
Victor M. McCree, Regional Administrator, Region II
Mark A. Satorius, Regional Administrator, Region III
Elmo E. Collins, Jr., Regional Administrator, Region IV


EXECUTIVE SUMMARY

HSPD-12 Requirements and Supporting Guidance for Federal Agencies

Homeland Security Presidential Directive 12 (HSPD-12) is a Presidential directive issued in August 2004. HSPD-12 states that it is national policy to “enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy” by establishing common identification standards for all Federal Government employees and contractors.[1] Further, HSPD-12 directs executive branch agencies to use standardized identification to gain physical access to Federal facilities and logical access to Federal information systems. As a Federal executive branch agency,[2] the U.S. Nuclear Regulatory Commission (NRC) is required to comply with HSPD-12 requirements.

The Office of Management and Budget (OMB) is responsible for issuing implementation guidance and ensuring Federal agencies’ compliance with this guidance. OMB is also responsible for ensuring agency compliance with technical standards issued by the Secretary of Commerce. The National Institute of Standards and Technology (NIST)—an organization within the Department of Commerce—established basic technical standards in Federal Information Processing Standards Publication 201 (FIPS 201).[3]

[1] Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004.
[2] Title 5 U.S. Code §105.
[3] Federal Information Processing Standards Publication 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, National Institute of Standards and Technology, March 2006.

FIPS 201 prescribes standards for verifying the identities of Federal employees and contractors,[4] issuing identification cards known as Personal Identity Verification (PIV) cards,[5] and managing data systems to support use of PIV cards.

Identity, Credential, and Access Management

Use of PIV cards is a basic element of a broader Federal Government initiative called Identity, Credential, and Access Management (ICAM), which aims to carry out specific provisions as well as the full intent of HSPD-12. ICAM programs have two main areas of operations: physical access control systems (PACS), which provide physical security at Federal facilities, and logical access control systems (LACS), which address the security of Federal computer networks.

HSPD-12 Implementation at NRC

NRC’s Office of Administration (ADM) has primary responsibility for PACS implementation, including installation and maintenance of PIV card readers that control access at doors and other entry points at NRC facilities. At the end of this audit, NRC had completed installation of PIV card readers and the supporting data system within headquarters buildings. However, ADM staff told auditors that PACS deployment at NRC regional offices was ongoing and would likely continue through the first half of calendar year 2011.

NRC’s Office of Information Services (OIS) provides information technology support for PACS, and has primary responsibility for forthcoming efforts to implement LACS at employees’ computer workstations. To implement LACS, NRC will equip employee workstations with PIV card readers, and the cards will authenticate users to NRC’s network in lieu of multiple currently required application-specific passwords. OIS has started a pilot LACS program and expects to begin implementing the technology agencywide by the end of calendar year 2011.[6]

[4] FIPS 201 refers to this process as identity proofing.
[5] Specifically, FIPS 201 describes PIV card elements, system interfaces, and security controls required to securely store, process, and retrieve identity credentials from the PIV card. Physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard.
[6] Two NRC computer applications—the National Source Tracking System and the Safeguards Information Local Area Network and Electronic Safe—already employ LACS technology.

The audit objective was to assess whether NRC has effectively implemented its ICAM programs.

NRC completed implementation of the PACS portion of its ICAM program at headquarters facilities during calendar year 2010, and expects to conclude this work at regional offices during the first half of calendar year 2011. All NRC staff and contractors eligible for the new PIV identification cards required by HSPD-12 have obtained these cards, and NRC continues to integrate PIV card technology with physical security upgrades at its facilities. Further, NRC has begun piloting the use of LACS at employees’ computer workstations to enhance network security and simplify the log-in process. Based on NRC’s experience in transitioning to the new PACS technology, OIG identified opportunities to facilitate the NRC’s LACS implementation through improved employee outreach and training.

This report makes recommendations to facilitate NRC’s adoption of new information technology required for logical access control systems.

At an exit conference on March 21, 2011, agency management stated their general agreement with the finding and recommendations in this report. Agency management also provided supplemental information that has been incorporated into this report. As a result, the agency opted not to provide formal comments for inclusion in this report.


ABBREVIATIONS AND ACRONYMS

ADM        Office of Administration
HSPD-12    Homeland Security Presidential Directive 12
ICAM       Identity, Credential, and Access Management
FIPS       Federal Information Processing Standards
FY         fiscal year
LACS       Logical Access Control System
NIST       National Institute of Standards and Technology
NRC        U.S. Nuclear Regulatory Commission
OIG        Office of the Inspector General
OIS        Office of Information Services
OMB        Office of Management and Budget
PACS       Physical Access Control System
PIV        Personal Identity Verification


TABLE OF CONTENTS

EXECUTIVE SUMMARY ........................................................................ i
ABBREVIATIONS AND ACRONYMS ................................................... iv
I.    BACKGROUND .............................................................................. 1
II.   PURPOSE ...................................................................................... 7
III.  FINDING
      NRC CAN IMPROVE EMPLOYEE OUTREACH AND TRAINING IN PREPARATION FOR LACS IMPLEMENTATION ............... 8
IV.   RECOMMENDATIONS ............................................................... 12
V.    AGENCY COMMENTS ................................................................. 12

APPENDIX
      SCOPE AND METHODOLOGY .................................................. 13


I. BACKGROUND

HSPD-12 Requirements and Supporting Guidance for Federal Agencies

Homeland Security Presidential Directive 12 (HSPD-12) is a Presidential directive issued in August 2004. HSPD-12 states that it is national policy to “enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy” by establishing common identification standards for all Federal Government employees and contractors.[7] Further, HSPD-12 directs executive branch agencies to use standardized identification to gain physical access to Federal facilities and logical access to Federal information systems. As a Federal executive branch agency,[8] the U.S. Nuclear Regulatory Commission (NRC) is required to comply with HSPD-12 requirements.

The Office of Management and Budget (OMB) is responsible for issuing implementation guidance and ensuring Federal agencies’ compliance with this guidance. OMB is also responsible for ensuring agency compliance with technical standards issued by the Secretary of Commerce. The National Institute of Standards and Technology (NIST)—an organization within the Department of Commerce—established basic technical standards in Federal Information Processing Standards Publication 201 (FIPS 201).[9]

Personal Identity Verification

FIPS 201 prescribes standards for verifying the identities of Federal employees and contractors,[10] issuing identification cards known as Personal Identity Verification (PIV) cards,[11] and managing data systems to support use of PIV cards. PIV cards are personalized with information unique to each employee. The surface of each PIV card shows an employee’s photograph, name, agency, and affiliation (e.g., contractor, military, or civilian employee). PIV cards also store electronic information[12] that is transmitted via card readers to data servers, which use this information to confirm an employee’s identity and access rights. The physical access PIV card readers are contactless, meaning they can read the information contained in PIV cards when an employee places his/her PIV card on or near a reader’s surface.[13] Physical access PIV card readers are typically connected to door locks, which are locked as their default setting but unlock briefly when employees with appropriate access rights apply their PIV cards to the readers. Security officers may also use mobile, hand-held PIV card readers to control access in areas without fixed entry points, such as hallways and elevator banks. Figures 1 and 2 illustrate a sample NRC PIV card, and describe the data elements and their placement on the front and back sides as required by FIPS 201.

[7] Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004.
[8] Title 5 U.S. Code §105.
[9] Federal Information Processing Standards Publication 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, National Institute of Standards and Technology, March 2006.
[10] FIPS 201 refers to this process as identity proofing.
[11] Specifically, FIPS 201 describes PIV card elements, system interfaces, and security controls required to securely store, process, and retrieve identity credentials from the PIV card. Physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard.
[12] Electronic information stored on PIV cards includes the Cardholder Unique Identifier; Personal Identification Number; two biometric fingerprint templates; and authentication data including the PIV authentication key, card authentication key, digital signature key, and key management key. PIV cards themselves do not store personally identifiable information, such as social security numbers.
[13] Before NRC adopted PIV cards, the agency used identification cards that relied upon physical contact between the card and card reader interface to unlock doors.

Figure 1: Sample NRC PIV Card (Front View)
Source: NRC

Figure 2: Sample NRC PIV Card (Back View)
Source: NRC

Figure 3 illustrates how PIV cards and fixed card readers are used to unlock a door (note the green light on the card reader indicating that the adjacent door is temporarily unlocked).

Figure 3: Photograph of PIV Card Use for Physical Access
Source: NRC

NRC began issuing PIV cards to employees and contractors during early 2010,[14] and requiring use of PIV cards for physical access to NRC headquarters facilities beginning in July 2010.[15] As of September 1, 2010, NRC had issued PIV cards to 4,331 eligible staff and 1,236 eligible contractors. This represents 100 percent of NRC and contractor personnel with completed background checks who were eligible to obtain PIV cards.

[14] In accordance with OMB guidance, Federal agencies must conduct background reviews of all employees and contractors who are to be issued PIV cards.
[15] Installation of PIV card readers and supporting data systems at some non-headquarters facilities was still underway at the conclusion of this audit. See Appendix, “Scope and Methodology.”

NRC’s Identity, Credential, and Access Management Programs

Use of PIV cards is a basic element of a broader Federal Government initiative called Identity, Credential, and Access Management (ICAM), which aims to carry out specific provisions as well as the full intent of HSPD-12. ICAM programs have two main areas of operations: physical access control systems (PACS), which provide physical security at Federal facilities, and logical access control systems (LACS), which address the security of Federal computer networks. NRC staff meet on a regular basis with representatives from other Federal agencies to share information and keep apprised of changing guidance that can impact agencies’ respective ICAM programs.

NRC’s Office of Administration (ADM) has primary responsibility for PACS implementation, including installation and maintenance of PIV card readers that control access at doors and other entry points at NRC facilities. At the end of this audit, NRC had completed installation of PIV card readers and the supporting data system within headquarters buildings. However, ADM staff said that PACS deployment at NRC regional offices was ongoing and would likely continue through the first half of calendar year 2011.

NRC’s Office of Information Services (OIS) provides information technology support for PACS, and has primary responsibility for forthcoming efforts to implement LACS at employees’ computer workstations. To implement LACS, NRC will equip employee workstations with PIV card readers, and the cards will authenticate users to NRC’s network in lieu of multiple, currently required application-specific passwords. A primary objective of LACS is to enhance computer network security by using digital certificates to verify the identity of network users in lieu of multiple passwords, which can be forgotten by employees and are more easily compromised. In addition, LACS may slightly enhance workplace efficiency because NRC employees will have fewer passwords to memorize and change on a routine basis. OIS has started a pilot LACS program and expects to begin implementing the technology agencywide by the end of calendar year 2011.[16] Figure 4 shows an illustration of a computer workstation PIV card reader.

[16] Two NRC computer applications—the National Source Tracking System and the Safeguards Information Local Area Network and Electronic Safe—already employ LACS technology.

Figure 4: Computer Workstation PIV Card Reader
Source: NRC

NRC spent approximately $3.7 million over the Fiscal Year (FY) 2007-2010 period on PACS implementation costs such as hardware, software, data system certification and accreditation, and labor. NRC spent approximately $2.4 million in FY 2010 for LACS implementation. NRC expects to spend approximately $1.3 million over the FY 2011-2012 period to operate and maintain PACS equipment, and to integrate it with LACS infrastructure.


II. PURPOSE

The audit objective was to assess whether NRC has effectively implemented its ICAM programs. See the report appendix for information on the audit scope and methodology.


III. FINDING

NRC completed implementation of the PACS portion of its ICAM program at headquarters facilities during calendar year 2010, and expects to conclude this work at regional offices during the first half of calendar year 2011. All NRC staff and contractors eligible for the new PIV identification cards required by HSPD-12 have obtained these cards, and NRC continues to integrate PIV card technology with physical security upgrades at its facilities. Further, NRC has begun piloting the use of LACS at employees’ computer workstations to enhance network security and simplify the log-in process. Based on NRC’s experience in transitioning to the new PACS technology, the Office of the Inspector General (OIG) identified opportunities to improve the transition to LACS technology. This report makes recommendations to enhance employee outreach in preparation for LACS implementation at NRC.

NRC Can Improve Employee Outreach and Training in Preparation for LACS Implementation

Effective employee outreach and training are important steps in managing technological and procedural changes at organizations. NRC conducted limited outreach activities in preparation for PACS implementation. However, additional outreach activities occurred several months after the use of PIV cards became mandatory for physical access at NRC headquarters. This delay occurred for two main reasons. First, NRC lacked a communications plan for educating employees about PACS and for coordinating outreach activities with PACS implementation schedules. Second, some policies and procedures for using PACS equipment—i.e., “use case”[17] policies and procedures—were still evolving after the equipment’s use became mandatory at NRC headquarters. This had relatively minor effects on employee attitudes toward and understanding of PACS use. However, NRC’s forthcoming LACS implementation will significantly impact policies and procedures for accessing NRC computer networks. Consequently, NRC employees must have a clear understanding of these policies and procedures to avoid disruptions that could adversely affect employee productivity.

[17] “Use case” is a software and systems engineering term that describes how information technology will function in response to user behavior. In short, a “use case” describes "who" can do "what" with information technology in specific scenarios or conditions.

Outreach and Training Are Key To Managing Technological and Procedural Change

Effective employee outreach and training are important steps in managing technological and procedural changes at organizations. A draft version of ICAM guidance recently circulated by the Federal Chief Information Officers Council to NRC and other Federal agencies identifies outreach as a key PACS implementation activity. Specifically, outreach “involves actively communicating to users that a new access control system is being deployed, the benefits and efficiencies that users can expect, and any steps necessary to begin using the new system. Informational materials need to clearly communicate the right message to the appropriate audience.” The draft ICAM guidance also describes end user training as a related and highly important step. In particular, training materials “should be created with the end user in mind and training should be completed prior to PACS deployment to ensure that users are capable of accessing facilities without undue disruption to the agency’s mission.” The draft ICAM guidance makes similar recommendations for LACS implementation, and emphasizes LACS training “prior to LACS deployment to ensure that users are capable of accessing protected resources without undue disruption to the agency’s mission.” [Italics added for emphasis.]

PACS Implementation Had Limited Outreach and Training

NRC conducted limited outreach activities and no formal user training in preparation for PACS implementation. NRC's primary means for educating staff about PACS were e-mail announcements, and two “Town Hall” meetings during which NRC staff addressed NRC employees’ questions about HSPD-12 as well as headquarters building construction and renovation. NRC staff produced a PowerPoint presentation explaining PIV cards’ purpose and use. However, this presentation appeared on the NRC Intranet in September 2010—approximately 2 months after NRC began requiring employees to badge in with their new PIV cards in July 2010. Similarly, NRC staff created placards to inform personnel about PIV cards, but the placards were undergoing management review in December 2010—approximately 5 months after PIV cards became mandatory for physical access to headquarters buildings.

NRC Lacked Communications and Training Plan in Preparation for PACS Implementation

NRC conducted limited outreach and training in preparation for PACS implementation for two reasons. First, NRC lacked a communications plan for educating employees about PACS through different media and coordinating outreach activities with PACS implementation schedules.

Second, some policies and procedures for using PACS equipment—i.e., “use case” policies and procedures—were still evolving after the equipment’s use became mandatory. For example:

    Badge-in procedures changed after ADM staff realized that NRC employees were having difficulty placing their PIV cards properly on the card readers at pedestrian and vehicular entrances. In response, contract guards were instructed to take employees’ PIV cards and badge them in.

    NRC activated new anti-tailgating sensors at select locations in September 2010, and required employees to follow specific anti-tailgating procedures.[18] However, ADM staff acknowledged during this audit that the procedures were provisional and subject to change based upon lessons learned following the deployment of the anti-tailgating equipment.

Although NRC could develop physical access “use case” policies after PACS became operational with minimal inconvenience to employees, the agency will not have this flexibility during LACS implementation. Unlike physical access procedures that allow for visual authentication and issuance of temporary identification cards, LACS will require a PIV card for employees to access NRC’s networks from their workstations. For example:

1. If employees forget to bring their PIV cards to work, NRC must either develop a technical solution that enables them to access agency networks, or establish policies to account for lost work time.

2. Lost or stolen PIV cards present a different challenge since these circumstances require termination of a lost or stolen card. Employees must then obtain a new PIV card.

3. Some executive staff may be exempt from LACS policies; if so, NRC must specify the level of seniority that permits exemptions and apply this policy consistently across the agency.

[18] Anti-tailgating sensors are designed to detect individuals who follow others through doorways without applying PIV cards to the card readers.

Improved Outreach and Training Will Be Critical for LACS Implementation

Despite challenges in NRC’s transition to new PACS technology, auditors found no material effect on NRC operations. Anecdotal evidence suggests some staff regard PIV cards as a minor inconvenience and do not understand NRC's requirements and conditions for PIV cards. Further, NRC staff said that a few PIV cards are damaged on a weekly basis through employee misuse.[19] Nevertheless, NRC’s plans to deploy LACS technology will significantly impact policies and procedures for accessing NRC computer networks. NRC staff are working to address LACS “use cases,” such as lost, stolen, or forgotten PIV cards, as well as employees who have multiple job roles and access rights parameters.[20] NRC management is aware of these and other “use case” challenges, but must ensure they are resolved prior to LACS implementation to avoid work-routine disruptions that could adversely affect employee productivity.

[19] PIV cards contain antennae coils to transmit data to contactless PIV card readers. These coils are fragile and cannot withstand repeated stress from flexing.
[20] At present, Federal PIV card security policies assume a principle of “one individual, one PIV card, one set of roles.” However, an NRC employee may have limited user rights in some NRC network applications while maintaining broader administrative rights in one or more applications.

Further, NRC employees and managers across the agency must understand LACS policies and procedures so that employees are not inadvertently denied network access, and do not compromise NRC network security by inadvertently violating LACS “use case” policies.


IV. RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

1. Create and implement a LACS communication and outreach plan that targets NRC users through different media, and is coordinated with LACS deployment schedules.

2. Require one-time mandatory LACS policy and procedure training for all staff, managers, and contractors who require desktop access to NRC networks, and make this training available in an on-demand format.

3. Establish clear “use case” policies and procedures prior to LACS deployment.


V. AGENCY COMMENTS

At an exit conference on March 21, 2011, agency management stated their general agreement with the finding and recommendations in this report. Agency management also provided supplemental information that has been incorporated into this report.
As a result, the agency opted not\n         to provide formal comments for inclusion in this report.\n\n\n\n\n                                      12\n\x0c                                         Audit of NRC\xe2\x80\x99s Implementation of HSPD-12 Phase 2\n\n                                                                              Appendix\nSCOPE AND METHODOLOGY\n\n       The audit objective was to assess whether NRC has effectively\n       implemented its ICAM programs. To address the audit objective, OIG\n       auditors attended briefings presented by NRC staff, NRC contractors, and\n       representatives from other Federal agencies. OIG auditors toured\n       facilities at the NRC headquarters complex, the NRC Region II office, and\n       the NRC Technical Training Center. During these tours, OIG auditors\n       observed new PACS equipment in use, tested it to ensure compliance\n       with NRC security plans, and questioned NRC staff and contract security\n       personnel about the equipment. 
OIG auditors also toured a contractor\n       facility that manufactures PIV cards for NRC and other Federal clients.\n       Further, OIG auditors conducted multiple interviews of NRC staff\n       representing ADM, OIS, and the Computer Security Office, as well as\n       contractor personnel who provide technical support to NRC.\n\n       OIG auditors reviewed pertinent guidance, including:\n\n          HSPD-12, Policy for a Common Identification Standard for Federal\n          Employees and Contractors, August 27, 2004.\n\n          OMB Memorandum M-05-24, Implementation of Homeland Security\n          Presidential Directive (HSPD) 12 \xe2\x80\x93 Policy for a Common Identification\n          Standard for Federal Employees and Contractors, August 5, 2005.\n\n          FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees\n          and Contractors, March 2006.\n\n          NIST SP 800-116, A Recommendation for the Use of PIV Credentials\n          in Physical Access Control Systems (PACS), November 2008.\n\n           Federal Identity, Credential, and Access Management Roadmap and\n          Implementation Guidance, Part B: Implementation Guidance Initial\n          Phase 1 ICAM Release Draft, November 19, 2010.\n\n          Orders for NRC headquarters contract security personnel.\n\n\n\n\n                                    13\n\x0c                                   Audit of NRC\xe2\x80\x99s Implementation of HSPD-12 Phase 2\n\n\n\nIn addition, OIG auditors reviewed contract documentation, budget data,\nand staff manpower data related to PACS and LACS implementation, as\nwell as Commission papers and other relevant internal planning\ndocuments. 
OIG auditors also reviewed documentation of efforts to\nensure PACS data system compliance with Federal information system\nsecurity requirements.\n\nOIG conducted this performance audit at NRC headquarters from\nSeptember 2010 through March 2011 in accordance with generally\naccepted Government auditing standards. Those standards require the\naudit to be planned and performed with the objective of obtaining\nsufficient, appropriate evidence to provide a reasonable basis for any\nfindings and conclusions based on the stated audit objective. OIG\nbelieves that the evidence obtained provides a reasonable basis for the\nreport findings and conclusions based on the audit objective. OIG\nreviewed and analyzed internal controls related to the audit objective.\nThroughout the audit, auditors were aware of the possibility or existence of\nfraud, waste, or misuse in the program. The audit was conducted by Beth\nSerepca, Team Leader; Paul Rades, Audit Manager; and Gail Butler,\nAnalyst.\n\n\n\n\n                             14\n\x0c'